Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities.
In this pull request those are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.
The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.
The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.